Train crash could be to blame for Internet derailment

A train crash in the US cut Internet cables serving seven major ISPs. Was it this, and not Code Red, that derailed the Internet on 18 July?
Written by Wendy McAuliffe, Contributor

The Code Red virus was not to blame for the Internet slowdown experienced in America last month - it was caused by a train crash in the eastern-US city of Baltimore.

According to Internet performance company Keynote, on 18 July, at the time Code Red was programmed to start scanning for vulnerable Web servers, a CSX train carrying hazardous materials derailed in the Howard Street tunnel in Baltimore. The subsequent fire severed cables and burnt through a massive Internet pipe serving seven of the biggest US Internet Service Providers (ISPs).

Analysis by Keynote has revealed that the backbone slowdown was specific to those backbones with high-speed connections running through the tunnel. "If the slowdown had been due to the worm, it would not have been selective of the backbones and geography but would have affected all backbones and the Internet as a whole, across geographical boundaries," concludes the Keynote Internet Health Report.
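Keynote's argument, that a worm would degrade every backbone while a physical cut degrades only those sharing the damaged path, can be written as a check over per-backbone latency samples. The Python below is an added example, not Keynote's method or data; the backbone names, latency figures, `shared_path` flag and 1.5x threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample data: round-trip latency (ms) per backbone before and
# during an incident. Names, values and the shared_path flag are hypothetical.
SAMPLES = {
    "backbone-a": {"shared_path": True,
                   "baseline": [48, 52, 50, 51], "incident": [190, 240, 210, 205]},
    "backbone-b": {"shared_path": True,
                   "baseline": [60, 58, 61, 59], "incident": [180, 175, 220, 200]},
    "backbone-c": {"shared_path": False,
                   "baseline": [55, 54, 57, 56], "incident": [58, 55, 60, 57]},
    "backbone-d": {"shared_path": False,
                   "baseline": [70, 72, 69, 71], "incident": [73, 70, 74, 72]},
}


def slowdown_ratios(samples):
    """Median incident latency divided by median baseline latency, per backbone."""
    ratios = {}
    for name, s in samples.items():
        base = median(s["baseline"])
        if base <= 0:
            raise ValueError(f"non-positive baseline for {name}")
        ratios[name] = median(s["incident"]) / base
    return ratios


def classify(samples, threshold=1.5):
    """Return (verdict, degraded_backbones) for one incident window.

    threshold is an assumed cut-off: a backbone counts as degraded when its
    median latency rises to at least threshold times its baseline median.
    """
    ratios = slowdown_ratios(samples)
    degraded = {name for name, r in ratios.items() if r >= threshold}
    shared = {name for name, s in samples.items() if s["shared_path"]}
    if not degraded:
        return "no-slowdown", degraded
    if degraded == set(samples):
        # Every backbone is slow: consistent with Internet-wide load.
        return "network-wide", degraded
    if degraded <= shared:
        # Only backbones on the common physical path are slow.
        return "localized-shared-path", degraded
    return "selective-unexplained", degraded


if __name__ == "__main__":
    print(classify(SAMPLES))
```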

The time-sensitive worm replicates between Windows 2000 servers, and exploits the so-called Index Server flaw. The addresses of the servers that Code Red attacks are generated randomly, but because of a bug, each copy of the worm will try to attack the same list of servers. Once executed, the worm will start to create copies of itself in memory to attack even more IIS servers at the same time.

Keynote claims that when Code Red was at its most rampant last month, it had very little effect upon Internet traffic. In the 48 hours since the worm was programmed to begin re-propagating itself, its analysis shows that "no effect on performance" has been experienced.

"It is very plausible that the two things could have come together -- we never predicted that the Internet would slow down, and we never expected Code Red to have that much impact," said Graham Cluley, senior technology consultant at anti-virus firm Sophos.

By lunchtime on Thursday, reports claimed that 238,967 servers had been affected by the Code Red worm, though it has caused no noticeable disruption to the Internet.
